Securing AutoGen Agents

Secure Microsoft AutoGen multi-agent conversations with AgentCop scanning and execution controls.

AutoGen-specific risks

AutoGen's design philosophy is to automate code generation and execution between agents. This makes it uniquely powerful — and uniquely dangerous if not secured.

  • Code execution by default — AutoGen's AssistantAgent generates and executes code as a core feature, not a side effect. Every LLM response that contains code is a potential execution vector.
  • Conversation injection — messages from one agent can inject instructions into another. Multi-agent conversations create a chain of trust; compromise any link and you own the rest.
  • Uncontrolled human proxy — UserProxyAgent's code execution runs directly in your host environment. The default configuration executes arbitrary code produced by the LLM without containerization or approval.

Scanning AutoGen code

The AgentCop scanner detects hardcoded API keys, uncontrolled execution directories, missing docker isolation, and disabled human oversight in AutoGen configurations.

```python
import httpx

# Submit the workflow source for scanning; a bounded timeout avoids hanging the pipeline.
result = httpx.post(
    "https://api.agentcop.live/api/scan",
    json={
        "code": open("autogen_workflow.py", encoding="utf-8").read(),
        "description": "AutoGen two-agent coding workflow",
    },
    timeout=30,
).json()
```

The dangerous default

This is AgentBob's AutoGen setup. The hardcoded API key will be flagged immediately. The work_dir="/" combined with human_input_mode="NEVER" means the LLM can run any code in the root of your filesystem, unattended.

```python
import autogen

# AgentBob's AutoGen setup — code execution enabled by default
config_list = [{"model": "gpt-4", "api_key": "sk-abc123"}]  # LLM06: hardcoded key

assistant = autogen.AssistantAgent(
    name="assistant",
    llm_config={"config_list": config_list},
)

# UserProxyAgent with code execution enabled — runs ANY code the LLM suggests
user_proxy = autogen.UserProxyAgent(
    name="user_proxy",
    code_execution_config={"work_dir": "/"},  # LLM08: runs in root directory
    human_input_mode="NEVER",  # No human approval
)

user_input = input("Task: ")  # Untrusted text flows straight into the conversation
user_proxy.initiate_chat(assistant, message=user_input)  # Prompt injection vector
```

Safe AutoGen pattern

Three changes remove the flagged findings: the API key comes from the environment, code runs inside a Docker container, and a human approves every agent action. The example also bounds execution time and the number of automatic replies.

```python
import autogen
import os

# Read the key from the environment; a KeyError at startup beats silently passing None
config_list = [{"model": "gpt-4", "api_key": os.environ["OPENAI_API_KEY"]}]  # Safe

assistant = autogen.AssistantAgent(
    name="assistant",
    llm_config={"config_list": config_list},
    system_message="You are a helpful assistant. Only suggest safe, reversible actions.",
)

user_proxy = autogen.UserProxyAgent(
    name="user_proxy",
    code_execution_config={
        "work_dir": "/workspace/sandbox",   # Scoped directory
        "use_docker": True,                  # Containerized execution
        "timeout": 30,                       # Bounded runtime
    },
    human_input_mode="ALWAYS",              # Require human approval
    max_consecutive_auto_reply=3,           # Prevent runaway loops
)
```

Checklist

  • API keys from environment, never hardcoded
  • use_docker=True for code execution
  • work_dir scoped to a sandboxed directory
  • human_input_mode="ALWAYS" for production
  • max_consecutive_auto_reply bounded